dittybopper: To the best of my knowledge, I was the first one to publish the idea of using 10-sided dice to generate OTPs, and as you can see I've also experimented with other manual methods of encryption.

I forgot to add: I can't tell from the photo, but do those dice have sharp edges?

A lot of dice are injection molded and then tumbled to smooth their edges, and you should not be using them to generate cryptographically secure random data. Dice are less uniform than people think---casinos are really the only ones who obsess about exacting quality standards in dice, and really they only care about D6s.

But again, the main security risk of an OTP is not some analyst finding a tiny bias in your dice, but simply intercepting and scanning the key material after you necessarily write it down and give a copy to someone else.
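A quick way to put the dice-uniformity point to the test before trusting a d10 for key material is a chi-square check on a batch of rolls. This is an added example, not code from anyone in the thread; the roll samples are constructed, and the 5% critical value for 9 degrees of freedom (16.919) is the standard table value.

```python
# Added example: chi-square uniformity check for d10 rolls.
# Constructed roll samples; a real check would use rolls recorded from the die.
from collections import Counter

# 5% critical value of the chi-square distribution with 9 degrees of freedom
# (10 faces minus 1). A statistic above this suggests the die is not uniform.
CHI2_CRIT_DF9_P05 = 16.919


def chi_square_d10(rolls):
    """Return (chi-square statistic, per-face counts) for rolls in 0..9."""
    if any(r not in range(10) for r in rolls):
        raise ValueError("d10 rolls must be digits 0-9")
    n = len(rolls)
    expected = n / 10  # uniform die: each face expected n/10 times
    counts = Counter(rolls)
    chi2 = sum((counts.get(face, 0) - expected) ** 2 / expected
               for face in range(10))
    return chi2, counts


def looks_biased(rolls, critical=CHI2_CRIT_DF9_P05):
    """True when the observed distribution deviates from uniform at the 5% level."""
    chi2, _ = chi_square_d10(rolls)
    return chi2 > critical


# Constructed samples of 1000 rolls each.
FAIR_ROLLS = [i % 10 for i in range(1000)]                 # exactly 100 per face
LOADED_ROLLS = [7] * 60 + [i % 10 for i in range(940)]     # face 7 comes up 154 times
SLIGHT_LOAD_ROLLS = [7] * 40 + [i % 10 for i in range(960)]  # face 7 comes up 136 times

if __name__ == "__main__":
    for name, rolls in (("fair", FAIR_ROLLS), ("loaded", LOADED_ROLLS),
                        ("slightly loaded", SLIGHT_LOAD_ROLLS)):
        chi2, _ = chi_square_d10(rolls)
        print(f"{name:16s} chi2={chi2:7.2f} biased={looks_biased(rolls)}")
```

Note that the slightly loaded die (one face 4% over its share) does not register at 1000 rolls; a small bias needs a much larger sample to show, which is why "it rolled fine for me" is weak evidence.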

Xcott: dittybopper: Yeah, but manual, paper OTPs are about as foolproof a solution as you are going to find. The rules are simple, and when followed, they *WORK*.

That's not what "foolproof" means. OTPs are actually the opposite of foolproof: they fail catastrophically when people cut a few corners or make a few mistakes, and the onerous key requirements actually encourage those mistakes.

OTPs are fragile in the sense that if someone ever cuts a corner and reuses a pad, anyone who intercepts your transmissions can immediately detect the reuse, and it's not that hard to extract the messages in full when this happens. It's hard to express just how embarrassingly bad this is by modern standards: a cipher should never fail this dramatically when a key is misused or used past its mandated lifetime.

On top of this, the OTP requires that key material be written down and stored in two different places, which again is pretty awful security by modern standards, or even 1970s standards. You should only need a key or passphrase that you can memorize---you should never have to write down a key---and you shouldn't have to share it with anyone, even the person with whom you are communicating.

The only reason to use an OTP is that the encryption method is theoretically unbreakable if all practical matters are ignored. But you only needed that theoretical unbreakability 40-50 years ago, before people figured out how to make reliably strong cipher algorithms. And when you factor in the practical matters, it's a real D- of a cipher.

This is why cryptographers are conditioned to hear "one-time pad" and think "crackpot." If you're writing cryptographic software and you want to guarantee that people will declare it snake oil, use the phrase "one-time pad" in the marketing copy.
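The pad-reuse failure described above can be shown in a few lines: XORing two ciphertexts made with the same pad cancels the pad and leaves the XOR of the two plaintexts, which for ASCII text never sets the top bit, while two ciphertexts made with independent pads XOR to uniform noise. This is an added example, not code from the thread; the messages are constructed and the pads come from os.urandom.

```python
# Added example: why a reused one-time pad is immediately detectable.
import os


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """One-time-pad encrypt/decrypt: XOR data with an equally long pad."""
    if len(pad) < len(data):
        raise ValueError("pad must be at least as long as the message")
    return bytes(d ^ k for d, k in zip(data, pad))


def high_bit_clear_fraction(buf: bytes) -> float:
    """Fraction of bytes below 0x80. ASCII XOR ASCII is always below 0x80,
    so two reused-pad ciphertexts give 1.0; independent pads give about 0.5."""
    return sum(1 for b in buf if b < 0x80) / len(buf)


def pad_reuse_suspected(c1: bytes, c2: bytes, threshold: float = 0.9) -> bool:
    """Flag a ciphertext pair whose XOR looks like text-on-text, not noise."""
    n = min(len(c1), len(c2))
    return high_bit_clear_fraction(otp_xor(c1[:n], c2[:n])) >= threshold


# Constructed messages and pads (not real traffic).
MSG1 = b"MEET AGENT AT THE STATION AT NINE TONIGHT"
MSG2 = b"PAYMENT DELIVERED TO THE USUAL DROP POINT"
PAD_A = os.urandom(64)
PAD_B = os.urandom(64)


def demo():
    """Return (reuse flagged, fresh pads flagged) for the constructed messages."""
    reused = (otp_xor(MSG1, PAD_A), otp_xor(MSG2, PAD_A))  # same pad twice
    fresh = (otp_xor(MSG1, PAD_A), otp_xor(MSG2, PAD_B))   # distinct pads
    return pad_reuse_suspected(*reused), pad_reuse_suspected(*fresh)


if __name__ == "__main__":
    print("reuse flagged / fresh flagged:", demo())  # (True, False)
```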

I'm a former Signals Intelligence professional (go ahead and google 'ditty bopper').

Since I've been out of that business, it's been a bit of a serious hobby for me. To the best of my knowledge, I was the first one to publish the idea of using 10-sided dice to generate OTPs, and as you can see I've also experimented with other manual methods of encryption.

There is a reason that numbers stations still exist, and why those stations still transmit their messages using one time pads: Because when used properly (especially avoiding the use of a computer), they are forever safe.

Think about that: No one needs higher security than spies, and what do they use? OTPs.

Type at a constant rate of characters, lol. I can see the want ads now. Wanted: typist who can't type and can't learn. Must have no credit issues and be able to hold a top secret/TSC clearance. Do you really think that the Russians bothered to bug the noise IBM selectrics made in an insecure location?

I think the big question is, are they storing plaintext or ciphertext in the file drawers. Ciphertext would be a pain, but vastly more secure than anything the NSA uses. Any camera will let you put as many hardcopies as you want on an SDHC (and the camera is only barely larger. Smart installations will shoot you for the SDHC as soon as the camera). It might be slightly less clunky, but I'm sure that the Russians will be far more to the point if they have to put everything in hardcopy on a manual typewriter instead of thousands of slides of PowerPoint. You could send the NSA some ciphertext, but the whole point of the place is they are already getting tons of that anyway; what they need are the keys and the plaintext.

"Again, we're discussing people for whom security isn't some afterthought, but a way of life, and they are guarding secrets that you have no clue how tightly they are held. I've been inside that world." - Dittybopper

So was Snowden. So was Manning. Security is hard: screw up once and it is over. Attacking is easy, a .001 average means you got what you wanted.

Fullmetalpanda: dittybopper: Actually makes sense, and it's why I use a manual typewriter to make one time pads: No data remanence issues.

Note that if you are copying a sufficiently slow source of random data (i.e. you get the next character after you typed the last one) it is next to impossible to determine the keypress. Typing ciphertext is going to be brutal to descramble (all errors won't be recovered and will really screw up decryption attempts. Will be utterly useless for codebreaking). Type cleartext and I bet you will never manage to get the rhythm off enough after doing it for a while.

Hitlersbrain: I seriously doubt these guys were ever REALLY a super power. More like a super hyped paper tiger. They have had the most effective space program from the 1950s to 2013, with a small break when they lost their vision of simple craft with the N1 (i.e. when we went to the moon). They also have had the bomb (including Sakharov's H-bomb) for a good long time (conquering Nazi Germany helps bring in a few spoils). US spy agencies had to lie their tongues black over their conventional firepower, because they really weren't in a position to invade anybody outside the Iron Curtain. They also managed to do all this starting from a medieval kingdom in the early twentieth century that was invaded twice during the whole process; the Romanov in charge of the Army didn't care that he only had "two weeks" worth of bullets before WWI (note that all sides assumed they would shoot about 1% of what they actually used) because "things would be decided with lance and saber as always". Makes you wonder how far we would be ahead if we were the ones who tried communism.

Xcott: Encryption pads are never reused, except when some dimwit did reuse them.

I don't think the Soviets were being dimwits, necessarily. It seems that they tried to 'stretch' their limited OTP generation capability during the extremely chaotic beginning of WWII for them by reusing a relatively small number of pad pages.

Don't forget that Venona managed to decode only something like 1 to 3% of the total amount of Soviet traffic that the US intercepted, and it took years to get much of it (though some was decoded quickly).

Back then, they may have believed that they could safely re-use the pads, if they did it in a limited way. They used code-names for people, organizations, and projects, and they may have decided that the slight risk was acceptable.

We have something they didn't have: A historical example of why it's a very bad idea, the revelations about the Venona Project.

One time pads were relatively new in 1941, having been invented back around 1920 or so. Today, we know better.

dittybopper: Xcott: dittybopper: Ribbons went into burn bags when they were used up.

So did one-time pads. And yet, Venona was still a real thing that happened.

The pads that were used for the messages broken in the Venona program didn't: They were re-used, which is how those messages were broken.

[thats-the-joke.jpg]

Encryption pads are never reused, except when some dimwit did reuse them. Just like confidential information is never allowed to reside unencrypted on a laptop that gets stolen at the airport, and just like all AOL search query information has to be deleted after 1 month and never put up on a web server for a grad student at Carnegie Mellon.

Typewriter ribbons present a security weakness and opportunity for surveillance even though, by official policy, they are supposed to be burned.

Xcott: dittybopper: Color me skeptical that you could ever make it work consistently. After all, the most simple countermeasure would be to just type slowly in an even rhythm, or to consciously vary the timing.

Yes, and the simple countermeasure to fingerprint detection is to wear gloves. That's why fingerprints never helped convict a criminal---because everyone just started wearing gloves all the time starting in 1892.

Seriously, how many people do you expect to suddenly decide to type slowly in an even rhythm to prevent timing attacks on their computer? Even people aware of the need for that kind of countermeasure are going to try that for 30 seconds and say "fark it." Countermeasures are effectively a non-issue. It's like pointing out that you can defeat speaker identification by talking like Meatball all the time---great, but nobody does that, and nobody's going to do that.

Actually, you can make this completely moot by simply doing your typing in a secure facility. Which is where you were going to store the documents anyway.

Again, we're discussing people for whom security isn't some afterthought, but a way of life, and they are guarding secrets that you have no clue how tightly they are held. I've been inside that world.

For very limited distribution, highly sensitive documents, where you can't afford to have them leaked, typing them directly onto paper instead of into a computer, where some nosy sysadmin might grab them, or some disgruntled worker might snarf onto a thumb drive. That way the only real copy is paper, and paper is harder to sneak out of a secure facility than electronic data on something as small as a thumb drive or a microSD card.

How many typewritten documents do you think you could sneak past the guards that are there specifically to prevent that sort of thing?

Plus, with paper, if you take the only copy, it's going to be noticed that it's missing at some point. You can steal electronic data without physically removing it. Of course, there are audit trails that make that harder to do unnoticed, but if you've got superuser access, there are ways around that if you are smart, or, failing that, if you don't care if they find out by the next quarterly data audit because you'll be in another country by then.

dittybopper: Color me skeptical that you could ever make it work consistently. After all, the most simple countermeasure would be to just type slowly in an even rhythm, or to consciously vary the timing.

Yes, and the simple countermeasure to fingerprint detection is to wear gloves. That's why fingerprints never helped convict a criminal---because everyone just started wearing gloves all the time starting in 1892.

Seriously, how many people do you expect to suddenly decide to type slowly in an even rhythm to prevent timing attacks on their computer? Even people aware of the need for that kind of countermeasure are going to try that for 30 seconds and say "fark it." Countermeasures are effectively a non-issue. It's like pointing out that you can defeat speaker identification by talking like Meatball all the time---great, but nobody does that, and nobody's going to do that.

No, it isn't. That's just what humanities majors call this stuff when writing "cyberpunk" novels and role playing game sourcebooks. In fact, nobody has called anything "phreaking" since people actually did phreaking.

For an excellent demonstration of EM analysis, check out Markus Kuhn's paper on Soft Tempest (IH 1998), where he demonstrates how to capture the picture on a CRT monitor from its emissions. Later, he demonstrated that you can do this without EM: because CRT monitors draw an image one pixel at a time, simply aiming a telescope and a photomultiplier tube at the monitor glare on your walls and sampling it at the right rate can be used to reconstruct your monitor display at a distance.

rumpelstiltskin: The keystroke analysis could be based on the idea that every hammer travels a different distance from its resting point to the point of impact, and then returns the same distance. That doesn't seem trivial to analyze when someone is typing quickly; you have three sounds for each key, and you need to sort them all out. But it definitely doesn't seem impossible.

The keystroke analysis papers I've read are instead based on the slight difference in time between keypresses. For example, when you type "derp", the time between 'e' and 'r' is consistently different than the time between 'r' and 'p'. This fact was used to catch passwords on earlier versions of SSH, because in some circumstances your encrypted keypresses would pass over a network one at a time, and the inter-key timing could be used to prioritize the guesses needed to brute-force your password. This technique can also track key presses from an audio recording.

FullMetalPanda: dittybopper: Actually makes sense, and it's why I use a manual typewriter to make one time pads: No data remanence issues.

They can tell exactly what you're typing by just hearing you type.

1. I doubt that. Too much variation in the strike of a single character with a manual typewriter based upon how you hit the key. You might be able to do it with electric typewriters, but I suspect that you need to put the microphone actually *IN* the typewriter for it to work. Recording the sound from across the room isn't going to

2. Even *IF* you can, you need access to the room where the document is being typed. Bugging a SCIF (or its Russian equivalent) is a neat trick if you can manage it, which you almost certainly can't. Even if you put a bug in a typewriter, those sorts of areas are specifically designed to block electromagnetic radiation from leaking out, so a wireless bug isn't going to work, and a wired one would be too easily found.